CVE-2026-55863
published 2026-06-23CVE-2026-55863: motionEye's missing authentication on ActionHandler allows unauthenticated camera action execution ## Summary The `ActionHandler.post()` method in motionEye…
medium
motionEye's missing authentication on ActionHandler allows unauthenticated camera action execution
## Summary
The `ActionHandler.post()` method in motionEye has no authentication decorator, allowing any unauthenticated attacker to trigger camera actions including snapshots, recording start/stop, and configured action scripts (PTZ controls, alarm triggers, etc.).
## Vulnerability Details
**File**: `motioneye/handlers/action.py` — `ActionHandler.post()` line 36
**CWE**: CWE-862 — Missing Authorization
**CVSS**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N = 5.3 Medium
### Vulnerable Code
```python
class ActionHandler(BaseHandler):
async def post(self, camera_id, action): # ← NO @BaseHandler.auth() decorator
camera_id = int(camera_id)
if camera_id not in config.get_camera_ids():
raise HTTPError(404, 'no such camera')
...
if action == 'snapshot':
await self.snapshot(camera_id) # executed without auth
return
elif action == 'record_start':
return self.record_start(camera_id)
elif action == 'record_stop':
return self.record_stop(camera_id)
action_commands = config.get_action_commands(local_config)
command = action_commands.get(action)
...
self.run_command_bg(command) # executes predefined shell scripts
```
Compare with other handlers that correctly require authentication:
```python
@BaseHandler.auth(admin=True) # ← properly protected
async def delete(self, camera_id, filename):
...
```
## Steps to Reproduce
1. Deploy motionEye with at least one camera configured
2. Send unauthenticated POST:
```
POST /action/1/snapshot HTTP/1.1
Host: motioneye-host:8765
Content-Length: 0
```
3. Observe `{}` (HTTP 200) response — snapshot triggered without any credentials
For action scripts (`lock`, `unlock`, `alarm_on`, `alarm_off`, `light_on`, etc.):
```
POST /action/1/alarm_on HTTP/1.1
Host: motioneye-host:8765
```
## Impact
- Unauthenticated attacker can trigger camera snapshots on demand
- Unauthenticated attacker can start/stop video recording
- If action scripts are cAffected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| motioneye_project | motioneye | >= 0 < 0.44.0 | 0.44.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-23
Published